frank/ruvnet--RuView
1
0
Fork 0
mirror of https://github.com/ruvnet/RuView synced 2026-06-29 13:33:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe8fa2ef283ea8a8d3f2a6fa12f215f2c1e6c0a7
ruvnet--RuView/v2/crates/homecore-plugins/src/error.rs
T
ruv 0ca903b497 feat(homecore-plugins): enforce plugin signature + capability isolation (ADR-162 P4/P5) 
ADR-161 honestly relabelled the manifest's wasm_module_hash / wasm_module_sig /
publisher_key as "(P4 — not yet enforced)" and the homecore_permissions claims
as deferred P5 authority isolation. This makes both real and tested.

P4 (signature/integrity verification, SECURITY):
- New `verify` module: SHA-256 module-hash check + Ed25519 signature
  verification over the digest against publisher_key, with a PluginPolicy
  trust allowlist and an explicit AllowUnsigned dev escape hatch (loud warn).
  Secure default rejects unsigned / unknown-publisher / tampered modules.
- Reuses the in-repo cog-ha-matter::witness_signing Ed25519 pattern; sha2 is a
  workspace dep, ed25519-dalek/hex/base64 already in the lock — no new external
  dep tree (only new edges in homecore-plugins).
- WasmtimeRuntime::load_plugin verifies before instantiation; legacy load_wasm
  retained for trusted/test modules.

P5 (authority/capability isolation, SECURITY):
- New `permissions` module: PermissionSet distilled from homecore_permissions
  (state:write:<glob> or bare entity glob). hc_state_set now consults it and
  returns a typed -3 to the guest on an undeclared write (no host panic).

Tests (fail on old code, which had no load_plugin/verify and an unchecked
hc_state_set): tampered module rejected; valid sig from trusted key loads;
valid sig from untrusted key rejected; unsigned rejected by default and loads
only under AllowUnsigned; light.* plugin writes light.kitchen but is denied
lock.front_door; no-permission plugin can write nothing. Real deterministic
keypair signs real bytes.

Manifest doc updated: P4/P5 now ENFORCED (was "not yet enforced").

homecore-plugins --features wasmtime: 32 passed (lib 23, integration 9), 0 failed.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-06-12 01:33:52 -04:00

48 lines
1.6 KiB
Rust
Raw Blame History

//! `PluginError` — typed error enum for the homecore-plugins crate.
use thiserror::Error;
/// Errors produced by the HOMECORE plugin system.
#[derive(Debug, Error)]
pub enum PluginError {
/// The plugin manifest JSON is missing required fields or is malformed.
#[error("invalid manifest: {0}")]
InvalidManifest(String),
/// A plugin with this ID is already loaded in the registry.
#[error("plugin already loaded: {0}")]
AlreadyLoaded(String),
/// No plugin with this ID is loaded in the registry.
#[error("plugin not found: {0}")]
NotFound(String),
/// The plugin runtime failed to spawn or execute the plugin.
#[error("runtime error: {0}")]
RuntimeError(String),
/// The plugin's `setup` hook returned an error.
#[error("plugin setup failed: {0}")]
SetupFailed(String),
/// The plugin failed signature/integrity verification (ADR-162 P4):
/// hash mismatch, bad signature, untrusted publisher, or unsigned
/// module under a non-dev trust policy.
#[error("plugin signature rejected: {0}")]
SignatureRejected(String),
/// A plugin attempted a host call (e.g. `hc_state_set`) on an entity
/// it did not declare in `homecore_permissions` (ADR-162 P5 authority
/// isolation).
#[error("plugin permission denied: {0}")]
PermissionDenied(String),
/// The plugin's `unload` hook returned an error.
#[error("plugin unload failed: {0}")]
UnloadFailed(String),
/// IO error (manifest file not found, WASM binary missing, etc.).
#[error("io error: {0}")]
Io(#[from] std::io::Error),
}
Reference in New Issue View Git Blame Copy Permalink